April 14, 2014

How to Protect Yourself From the 'Heartbleed' Bug

Recently, a major security vulnerability named "Heartbleed" has made headlines around the world.  This is a severe vulnerability stemming from a coding mistake in a widely-used security utility called OpenSSL.  The bug affects the encryption technology designed to protect your sensitive data on the Internet, like usernames, passwords and emails (oh my!).


Why is this a big deal?

The Heartbleed bug allows potential attackers to sidestep the cryptographic security that normally protects Web communications on sites that run the open-source OpenSSL library. In essence, the bug allowed attackers to grab random bits of information from a Web server's memory --- information that could include usernames and passwords, the cryptographic "keys" that shield traffic from prying eyes, or even the coded "certificates" that websites use to verify that they are who they say they are. In the worst case, exposure of that information could allow attackers to read all traffic to and from a given site, or even to impersonate the site itself!

Since the flaw is in the OpenSSL encryption code, it's not actually a virus.  This vulnerability affects the servers that run OpenSSL rather than your own devices the way a virus does, so the best plan for businesses is to update to the latest version of OpenSSL to address the dangers posed.

The severity of the Heartbleed vulnerability cannot be overstated --- this is a big deal.  Several major enterprises (Facebook, Twitter, Pinterest...just to name a few) use OpenSSL and are likely affected by this vulnerability as well. The dangers posed by this vulnerability are very real and could affect you if exploited.  Things that you stored on these supposed 'secure servers' can potentially be accessed until this bleed is fixed.  That means passwords, credit card info, personal information, etc.  Studies show that over a half million widely trusted websites have the potential to be affected.

What do I do to fix it?
  • Mashable has created a Heartbleed Hit List of sites on which you might need to update your security & passwords.  This list is frequently updated & can tell you which websites are vulnerable and which have been patched.  c|net also has a comprehensive list of the websites that have been patched.  Once a site is no longer vulnerable, it's time to change your password.  You can also use this tool or this tool to help you identify whether a site you visit regularly has been affected.
  • The obvious thing to do is change your password.  However, you should only change your password after the afflicted business has fixed its servers & removed the Heartbleed vulnerability.  (Changing your password on a particular site only gives you more protection if that site has already applied the Heartbleed patch and resolved its vulnerability. If it hasn't, changing your password in advance could theoretically put you at greater risk. Heartbleed is a vulnerability in a server's memory (RAM), not its data storage, so a hacker has access to things that are currently being handled by the server, not everything that's stored on it. That means that the hacker could ascertain your new password, too.)
  • You could start using a password manager.  You have to decide for yourself if it's worth it, though.  You don't need to remember your passwords, because they're all stored and protected behind one master password that you need to make extremely unguessable.  A warning, though: setup is quite tedious.  Oh, and if you're using someone else's computer, you have to use an app to look up your password for any site/service you want to log into.  Having a password manager isn't a fun time, but protecting yourself from much more annoying, potentially detrimental, problems down the line if your personal information gets hijacked may make it worth the trouble.  Some password managers are KeePass, LastPass, 1Password, Roboform, Dashlane, SplashID & mSecure.